Become the Man-In-The-Middle with an Open Internet Proxy


Ever wanted to manage a chunk of internet traffic? Whether you are learning to use network management tools or doing something more nefarious, having a test bed of traffic is an important tool. Follow this tutorial and you’ll be the boss of more traffic than you can handle. I’m showing you how to create an open internet proxy with Squid.

What’s a proxy?

A proxy is a device that acts as an intermediary between your computer and the server that you are trying to reach. There are several reasons that you might want a proxy:

Masking network addresses: Hackers use proxies because their source address is hidden from the destination, making it non-obvious who is doing the hacking. People behind firewalls (for instance, people who can’t surf Facebook at work) use proxies because the destination address is hidden from their corporate oppressors, making Facebook appear despite the restrictions.

Caching: If you have multiple people requesting the same website, the proxy only has to get the files from the remote server once. In big networks this can save real money.

Policy Enforcement: The proxy can enforce policies (like no porn or gambling) for its users.

That last one is important. In order to effectively enforce policies, the proxy must be able to monitor and modify all the traffic. And if you run the proxy, those tools are yours.

What you need to get started

While it’s possible to do this on your personal desktop, it is not at all advisable. You should have a VPS – virtual private server – with unmetered bandwidth. The one I use has 3 cores, 3Gb of RAM and 60GB SSD. It does really well at running Squid plus doing the packet inspection things I want it to. You only need one IP address. In this tutorial, I’ll show you commands for Debian/Ubuntu – so that is the operating system you should pick.

Setting Up Squid

The first step is to install squid.

sudo apt update && sudo apt install squid

We configure Squid via a 7900-line configuration file (no kidding) at /etc/squid/squid.conf. The file is that big because it’s also a large part of the documentation for each feature. Learn how to search for a phrase in your favorite text editor.

Here are the lines we need to add or modify.

http_port: This is the port that Squid will listen on. Modify the existing line so that Squid listens on a more widely known port. It should read

http_port 8080

http_access: This tells Squid who is able to access the server. You’ll see a line in the file that says “http_access deny all”; on the line above it, add

http_access allow all

dns_v4_first: This line will increase the performance of your squid proxy dramatically. At least it did for me. Find the line that says “# dns_v4_first off” and remove the # that indicates a comment, then change it to say

dns_v4_first on

Next we’re going to set up “delay pools”. These govern how much bandwidth Squid and your users are allotted. You can read all about it in the .conf file. Underneath the line that reads “# TAG: delay_pools” add the following

These lines say 1) there is only one delay pool, 2) delay pool number one is of class one (limits total bandwidth), 3) delay pool 1 is limited to this much bandwidth (these settings work out to ~2Mbps, don’t ask me how that math works), and 4) all traffic goes into delay_pool 1.

That’s it. You’ve done the bare minimum to get squid running well. Now let’s just restart it and we’re ready to go.

sudo service squid restart

Now you should be able to test your proxy by configuring your browser to use it. The hostname is the IP address of your VPS, and the port is 8080.
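Squid evaluates http_access lines from the top down and the first matching line wins, which is why placing “allow all” above “deny all” admits every client on the internet. As an added example (not code from the article), the Python below models that first-match evaluation over two constructed squid.conf fragments: the open ordering from the steps above and a restricted alternative that only admits named source networks. The ACL names, addresses and networks are assumptions; only “all” and “src” ACLs are modelled.

```python
import ipaddress

# Constructed squid.conf fragments (assumed values, not the article's file).
OPEN_CONF = """
http_port 8080
http_access allow all
http_access deny all
"""
RESTRICTED_CONF = """
http_port 8080
acl localnet src 10.0.0.0/8 192.168.0.0/16
http_access allow localnet
http_access deny all
"""

def parse_conf(text):
    """Return (src_acls, rules): ACL name -> networks, plus ordered http_access rules."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def decide(text, client_ip):
    """First http_access line whose ACLs all match decides; with no match Squid
    applies the opposite of the last line's action (deny if no lines exist)."""
    acls, rules = parse_conf(text)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")          # "!acl" inverts the match
            name = name.lstrip("!")
            hit = True if name == "all" else any(ip in n for n in acls.get(name, []))
            if hit == negate:
                matched = False
                break
        if matched:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"

def is_open_proxy(text):
    """True when a client outside every named network (a random internet host) is allowed."""
    return decide(text, "203.0.113.7") == "allow"   # 203.0.113.0/24 is documentation space
```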

Wait for your traffic to come

For me, it was only 6 hours before my proxy was running at 2M per second. Some bot had clearly scanned port 8080 and found out about its true nature. They published it to a list, and other lists copied it. If that doesn’t happen for you, you can submit to a proxy list as well. But I would suspect a Squid misconfiguration before I suspected a lack of port scanning bots.

Other Tools You Probably Want

Here are a couple of good tools to use to keep an eye on your Squid server. SquidAnalyzer parses your Squid logs to tell you who is using your proxy and how, down to which URLs individual users have accessed. ntop is a great and easy-to-set-up network monitoring solution that shows how your bandwidth is being consumed in close to real time.
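The log analysis those tools perform starts from Squid’s native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy, content type). As an added example (not the article’s or SquidAnalyzer’s code), the Python below parses a few constructed log lines, totals bytes per client, and flags CONNECT tunnels to ports other than the expected TLS port, which is one quick way to spot a proxy being used as a relay. The sample addresses and sites are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid native access.log format (not real traffic).
SAMPLE_LOG = """\
1452300000.101    245 203.0.113.7 TCP_MISS/200 18342 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1452300001.330   1200 203.0.113.7 TCP_TUNNEL/200 90210 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.9 -
1452300002.005     30 198.51.100.44 TCP_DENIED/403 3500 GET http://example.org/ - HIER_NONE/- text/html
1452300003.770    900 203.0.113.7 TCP_TUNNEL/200 1024 CONNECT 198.51.100.23:25 - HIER_DIRECT/198.51.100.23 -
1452300004.112    410 192.0.2.10 TCP_HIT/200 5120 GET http://example.com/logo.png - HIER_NONE/- image/png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["status"] = int(rec["status"])
            yield rec

def bytes_per_client(text):
    """Total bytes served to each client address: who is actually consuming the bandwidth."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        totals[rec["client"]] += rec["bytes"]
    return dict(totals)

def suspicious_connects(text, allowed_ports=(443,)):
    """CONNECT tunnels to ports outside allowed_ports; a tunnel to port 25, for example,
    usually means the proxy is being used to relay mail rather than to browse."""
    hits = []
    for rec in parse_log(text):
        if rec["method"] != "CONNECT":
            continue
        host, _, port = rec["url"].rpartition(":")
        if port.isdigit() and int(port) not in allowed_ports:
            hits.append((rec["client"], host, int(port)))
    return hits
```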

You’re the captain now

Snoop, tamper, ban, prioritize, do whatever you want with your traffic. It’s yours. If you need some ideas for the type of possible mischief, check out this DEF CON talk from Chema Alonso. But be careful because there are laws.

Defending against rogue proxies

I should say a few words about defending yourself from this type of proxy. If you are using a proxy service, it’s hard to know if your data is being tampered with. My advice is to only use trusted network services. Do not voluntarily route your traffic through anyone offering to take it for free. And encrypt everywhere. But mostly just don’t use open proxies.

You are absolutely right for Ubuntu prior to 16.04. Starting with that release, “apt” replaces most of the functionality of “apt-get” and “apt-cache”. I should have been clear about the Ubuntu version I was working with in the article.

I find this a rather unusual article to find in a security focused community. An open proxy will rapidly start being used for all manner of nefarious purposes…

While I fully support a closed proxy + VPN, perhaps to assist in protecting authorized users, creating an open proxy in today’s world is bordering on folly and opening the owner of such to all manner of risk. For example, when (and I say when, not if) the proxy starts being used for illegal activities, the owner has just become a party to that activity.

Think long and hard before doing anything like this – there are much better ways to learn traffic analysis!

Good points. I absolutely agree that nefariousness will start immediately across any open proxy on the internet. But I don’t agree that there follows a legal or moral risk, at the worst there is an administrative burden of dealing with abuse complaints.

On the contrary, a nefarious user base is an ideal condition for learning about security. And having them out on a VPS is a great place to be able to turn it all off quickly if it gets to be too much.
